
List:       focus-ms
Subject:    RE: Announcing TGP - Thor's Godly Privacy
From:       "Wayne Anderson" <wfrazee () wynweb ! net>
Date:       2010-07-16 16:26:09
Message-ID: 005a01cb2503$99accf40$cd066dc0$ () wynweb ! net

Phillip Macey wrote:
>Actually, even if you don't release your source someone can easily
>re-distribute a look alike program with trojans included.  Just write a new
>program and mimic the user interfaces. Once the trojan is installed, bomb
>out with an error message. The unfortunate people who ran it will not know
>any better other than thinking TGP is a buggy program and not worth the
>bother of trying it again. How can I know that you are not releasing a
>program with a trojan buried within it somewhere?

Correct.  

How can I know the copy of [insert open source program here] isn't a
modified copy or a look alike trojan?  Yes, there are authoritative sites
which have hashed and signed packages but think about the myriad of
different distributions that people use and how few of actual end users
actually use the origin project's distribution.  Most distributions have
procedures to address this.  No matter where you are getting software on the
internet, there is a chain of trust that is implied in the decision to
obtain and rely on whatever the software is.  Trust in the technical and
process mechanisms for development, and packaging, and the people executing
them faithfully.  I am not sure the point really says anything about TGP
versus any other software one might obtain.

The other thing to consider here is the userbase likely to know of and use
an application like TGP.  This isn't Microsoft Office.  This is a specialty
privacy/encryption application that has been announced to a subset of
security conscious users.  This email discussion is probably at a higher
level of critical use analysis than some huge proportion of software on the
internet will ever get before the end user clicks download.



>Both open and closed source have their place but yours is not a good reason
>to be closed. For the record, I'm not trying to convince you that you should
>release the source.. It is yours to do what you want with.
>You don't need a reason to keep it to yourself if that's what you want to do.
>I am also not trying to suggest that you are releasing a trojan or incorrect
>implementation (I really don't have any way to tell) ;-)

Oh, really?

What *IS* a good reason to close source?

I like the concept of open source.  I like the opportunity to choose from a
myriad ways to license your software to a general community and potentially
provide the opportunity for others with experience in other areas, and
different skills and viewpoints, to make improvements on that software and
potentially make those improvements available to others.  The modern open
source "movement" is just that - it's almost like religion.  If you, as an
individual developer, make the choice to release a closed source binary, in
some circles you have shown yourself to be a barbarian heathen because you
have not incorporated the software freedoms that this person or that person
expects.

As the developer, it should be your choice to choose the model under which
you intend for your application to exist in the user ecosystem.  It is one
thing to suggest a different model that might have benefits for an
application.  It is quite another to imply that one should not have the
ability to make that choice simply because they are the author and do not
want to use an open source model. 

-W
